The 10 Most Overlooked Aspects of Security
Think your organization has all its security bases covered? You might think twice after checking out this list
November 29, 2006
Before you hunker down, all comfy and cozy, in front of a crackling holiday fire, hold the fruitcake and eggnog: Feel like you're forgetting something?
Most likely, you are.
Did you post a surveillance camera in your server room? Check the trash can for discarded disk drives that weren't wiped clean of sensitive data? Do a deep background check on that new database administrator you hired? Look into that new third-party security services offering?
Encrypt the backup of the year-end financial data?
Gulp. Maybe you're not quite ready for the holidays.
You'd better watch out. But don't cry, and don't pout, because you're not alone. Most organizations have at least a few security issues that have been lost in the shuffle, and it's not too late to give them some attention.
So, with the help of Dark Reading's editorial advisory board, we've compiled this list of The 10 Most Overlooked Aspects of IT Security, along with the risks of skipping out on them, and some advice on how to attend to them. Our research turned up a wide variety of opinions on these topics, many of which are environment-dependent, so we're giving you this list in no particular order. You decide which bases you've got covered -- and which ones need your attention.
Consider this our contribution to your holiday shopping list. Post 'em on your blog and the company intranet, pass them on to your colleagues and business partners, all in good cheer. There is still plenty of time to make your own list -- and check it twice.
(Editor's note: If there are other commonly forgotten security measures you've just remembered, we'd love to hear about them. Please send comments via the message board associated with this story, not by email. All postings are completely anonymous. Enjoy.)
Contents:
Page 2: Physical security
Page 4: Background checks
Page 8: Training
Page 10: Encryption
— The Staff, Dark Reading
Next Page: Physical security
When you review your IT security architecture, you probably don't consider your organization's physical security. But that can be a lethal oversight.
"In order to truly achieve 'defense in depth,' we have to think physical security as well as information security. The best [logical] security can't prohibit a physical theft of a server if the computer room is not adequately protected," says Steve Delahunty, senior associate with Booz Allen Hamilton.
More often than not, the people who do IT security and the people who do physical security in large organizations don't work with one another. Many small- to mid-sized enterprise IT security groups may overlook physical issues altogether. It's not until a building break-in occurs that the two may even meet at all.
"It's always somebody else's fault when there's a break-in in the building," says Steve Stasiukonis, vice president and founder of Secure Network Technologies, regarding IT security blaming facilities management and vice versa. But IT security should be on the same team as the facilities management group, he says.
In many organizations, physical security is often focused more on protecting copiers, printers, and fax machines from theft -- not servers or computer equipment, Stasiukonis says.
"A lot of companies are allocating surveillance technology in the wrong places," he says, and not where intruders are more likely to gain access, such as the cargo landing where smokers take their breaks, or on the cafeteria patio.
Leaving physical access to chance in these areas makes it that much easier for an attacker to simply walk in and make a network attack or other breach.
"A lot of attacks become much easier because of physical security weaknesses," says Sean Kelly, technology consultant for Consilium1, who does penetration testing for clients. "It makes things a lot easier if you can walk in the door. And you don't have to be a technical person to perform these breaches -- it opens the door to a wider pool of data thieves."
Social engineering is way too easy a ploy to get a foot in the door, experts say. Stasiukonis, who stages social engineering exploits for his clients to audit their security, recently duped employees at a credit union client's facility, posing as a copier repairman stopping by to "clean" the copier machine.
"I busted into a credit union last week, wearing one of those copier company t-shirts," Stasiukonis says. "So I jacked in and grabbed the password and log-ins in clear text and then [used them] to break in from the outside, too."
Getting the IT and physical security teams together is crucial to thwarting social engineering attacks like these. But it's not easy to teach employees who to trust and who not to trust.
"Social engineering is a huge issue no matter what level of organization you're in," Consilium1's Kelly says. "Security awareness training needs to stress more on auditing and procedures to identify people you're giving information to, and for questioning people without badges."
Next Page: Proper disposal of devices, storage media, and sensitive documents
IT people hate dealing with trash. Attackers, on the other hand, love it. That should tell you something right there.
Each day, corporations dump tons of material on the curb, most of it useless landfill. But companies that don’t have strong policies on garbage disposal may be leaving bits of gold for hackers seeking passwords, customer information, or other sensitive data. And if they’re not careful, those organizations may just be throwing out the keys to their most valuable information.
One of the most frequently-overlooked treasures for attackers is the discarded hard drive. As companies upgrade their old machines, they often donate them to recycling centers, charities, or simply mark them as trash. But some IT departments are lax in their efforts to wipe those old hard drives clean, creating potentially damaging data leaks.
In a study published in August, researchers at the U.K.’s University of Glamorgan and Australia’s Edith Cowan University bought more than 300 hard drives in auctions and computer fairs all over the world. What they found was a surprising array of data that should have been erased long before the drives were sold or tossed. Some of the data included payroll information, employee names and photos, IP addresses, network information, mobile phone numbers, copies of invoices, and financial information such as bank and credit card accounts. (See Second-Hand Drives Yield First-Class Data.)
And the problem isn’t limited to hard drives. In a separate study also published in August, security firm Trust Digital made similar purchases of used cell phones and PDAs on eBay, and researchers were able to recover sensitive data on nine of ten devices in the study.
”The file system on your cell phone or PDA is just like the one on your PC’s hard drive,” said Norm Laudermilch, CTO at Trust Digital. “If you delete a file, you’re not really overwriting the data. All it’s doing is changing the index of the file system, or the file’s pointers.” (See Study: Used Cell Phones, PDAs Contain Confidential Data.)
And companies shouldn’t overlook one of the oldest forms of stolen data: paper trash, experts say. Jim Stickley, CTO at penetration testing company TraceSecurity, says he has found a wealth of sensitive information -- including user identities and passwords -- simply by dumpster-diving on unshredded company trash. “Shred, shred, shred,” he says. (See 'Analog Hackers' Overlooked, Undetected.)
Next Page: Background checks
A background check? When did it become necessary to do more than call references and verify past employment?
It's easy and tempting to overlook the character issue when hiring employees, or even managing them over the long term. But as the strategic value and importance of IT has risen, so has the need to make sure those with the keys to the kingdom aren’t eavesdropping, stealing, or worse.
"It's become more the norm that companies screen all their employees," said Jason Morris, president of Background Information Services, Cleveland. "People quickly realized that IT is one of their biggest liabilities -- when employees take home data tapes, for example. So they may not screen low-level carpet sweepers, but if they have access to sensitive areas, employers screen."
In addition to verifying education and previous employment, Morris encourages making sure there are no unexplained gaps in a candidate's job history. Are they claiming MCSE or Cisco router certifications? Get it confirmed, he suggests. "Driver's records could also be a good measure of responsibility, as are credit reports."
A basic check might include SSN verification, address history, and a search of county records for felonies and misdemeanors. Background research can get even more detailed (and expensive) with searches of sex offender databases, state and national archives, even international resources.
So how much should a company expect to spend on a background check? "It varies, but a good rule of thumb is one day's salary" for the position for which you're hiring, Morris says. "It can be a lot less too."
Doug Shields, president of Secure Networks finds less value in sifting through official records and prefers to drill down more on what he calls "character issues."
Shields, who worked at the CIA for nine years, is more interested in why a prospect left his last job, or if he was an Eagle scout, for example. "That may sound hokey, but it tells you something."
You can also learn about character issues by asking a candidate how they safeguard their own data. Do they use encryption on their personal laptop? Have they even set up a wireless LAN at home, and if so what security protocol did they use? The answers will tell you something about consistency and follow-through, Fields suggests.
And while screening before employment begins is great, it doesn't help much if you don't continue to keep tabs of some sort on employees. "If they go bad over time, you're not going to know about it" unless there's continued monitoring, Shields explains. "It doesn't matter what industry you're in. You have to make sure your stuff is secure and that people only have access to things they should have access to."
Next Page: Getting control of the at-home user
Out of sight, of out mind. Many IT departments carefully watch their employees in the office, but they fail to monitor just what software their users are installing or what hardware (think thumb drives and iPods) they're plugging into their desktop or laptop machines at home -- or who else may have access to those machines.
The rash of laptop losses and thefts at major corporations and government agencies over the past year has red-flagged the problem of securing data when it leaves company premises. But what about the machines that sit in home offices where telecommuters work daily, or company executives work after-hours? And what happens when a user's home is broken into and his laptop or PC stolen?
"The problem companies face with home workers is that the security boundary with the Internet has been extended to hundreds, even thousands of remote locations," says Geoff Bennett, director of product marketing at StreamShield. "The odds of a weak point are multiplied exponentially."
Ironically, top execs can be the biggest weakest links in the home-user chain. "The CEO and CFO want to store sensitive information locally on their laptops because they don't want to worry about VPNing in," says Consilium1's Kelly.
Few IT organizations have the means to restrict user-access when it's not on-site: Home users may leave their machines connected to the company network, or give passwords out to family or friends. And watch out for those technologically precocious kids in the house.
"In one instance, a CEO’s kid got on his machine and renamed critical financial files. The firm was unable to do a planned stockholders' meeting as a result," says Rob Enderle, principal analyst with the Enderle Group. "End point security remains important especially if the equipment isn’t on premise."
Security assessments are rarely, if ever, done of the homes of these users, Enderle says.
And now, as home users increasingly become the targets of phishing attacks and botnet attacks, the company-issued laptop and the user's home PC with VPN access can leave the corporate network at risk. "If their machine has turned into a zombie and has access through a VPN to the corporation, the corporation is clearly exposed," Enderle says.
Most zombie infections use keylogging, which captures password information. And a zombie PC also becomes a spam pipeline, says StreamShield's Bennett, which can wreak havoc since most corporate email systems are configured to filter inbound, not outbound, spam.
"The assumption is that one's own employees are not likely to send spam. But a compromised PC will act as a spam relay," he says, which could result in the company's legitimate email being blacklisted by other organizations.
One way to lock down home users is to eliminate VPN access and instead use biometric, multi-factor authentication to email and "the most limited set of resources needed to do the job," Enderle says.
A home security audit is also helpful, as well as training home users how to best protect their computer and the company network. "And the computer accessing the corporate resources should remain administered and patched, and protected to a degree sufficient for the level of access the remote employee has."
Next Page: Taking advantage of built-in security functions
Security is big business these days, and hardware vendors know it. As a result, many hardware vendors have begun to build security features directly into their devices, giving them out-of-the-box capabilities that are often unexplored or overlooked.
One of the best examples of this phenomenon is the Trusted Computing Group’s Trusted Platform Module (TPM) 1.2, a set of specifications that enables vendors to add a "security chip" microprocessor to any PC. TPM 1.1 chips made by vendors such as Atmel, Broadcom, and Infineon, have become standard issue on most PC hardware, but PCs that use TPM 1.2 only began shipping in the first half of this year.
Companies that have begun using TPM packages, such as Wave Systems’ Embassy Trust Suite 5.1, are giving it a thumbs up. "Using TPM and Embassy Trust Suite has made a huge difference in the way we administer security," says Chris Cahalin, network manager at Papa Gino's, which operates some 400 restaurants throughout New England. "It's not only made our client machines and files more secure, but it's given us a lot more control in IT."
ETS 5.1 is a set of security tools and applications that leverage TPM chips to encrypt files, folders, and passwords on a laptop or PC, leaving the key only in the hands of the end user and the IT department. The keys can be given out in the form of smart cards, or the user can be authenticated via biometrics or digital certificate.
The net result is that users of TPM 1.2 and ETS 1.1 can lock their hard drives, folders, and files via an encryption key that can only be decrypted by the authorized user. A thief can't read any of the files on a stolen TPM laptop, and even users inside the company can be locked out of sensitive files on any end station.
Although most new PCs have TPM, many enterprises have yet to turn on their functionality, concedes Steven Sprague, president and CEO of Wave Systems. "I would encourage every enterprise to take a few of their new PCs into the lab, turn on this technology, and see what it can do," he says. "It'll change the way they look at end-user security."
Most experts see TPM as a boon for enterprises because it is a standard that works uniformly across vendors and PC models. But they are more wary of proprietary built-in security capabilities that are now being added to consumer-oriented machines.
Over the last few weeks, PC hardware vendors have been rolling out security technology at a rapid rate. On Nov. 1, Hitachi Global Storage Technologies announced that it will offer optional hardware encryption on all of its new 2.5-inch disk drives, which are expected to ship at a rate of a million units per quarter in early 2007. That announcement came on the heels of new drives from Seagate Technology, which will not only offer hard drive encryption but also multi-factor authentication options that would make it impossible for unauthorized users to access any data on the hard drive. (See Built-in Headaches.)
Experts say these built-in technologies -- as well as built-in biometrics from PC vendors such as Lenovo -- are good for consumers, but they may conflict with encryption and authentication policies and technologies that enterprises already have in place.
"Built-in security items will cause IT department headaches," says Richard Stiennon, founder of IT-Harvest, an IT consulting firm. "The enterprise would have to standardize on the new Seagate drives or be looking for hard drive encryption help for particular projects.” As a result, many IT organizations will probably forbid the use of the new security technologies, Stiennon says.
Next Page: Analyzing trends in security log files
Log files are not so much overlooked as unappreciated. After all, it would be hard to overlook the mountain of data created each day by system hardware, network devices, PC hard drives, and IT security applications. In fact, most IT and security pros have so much log data that they typically only skim it, or ignore it altogether.
But log files can be the key to recognizing an attack, experts say. External attackers typically use methodical approaches that can be identified as log trends, enabling the IT organization to block or quarantine them. Internal attackers usually leave an audit trail in their logs that can be backtracked and exposed, enabling IT to catch the perpetrators red-handed.
The trick is learning how to analyze log files in a way that is thorough, yet not too time-consuming. For most IT organizations, this means using a combination of automated log file analyzers, security information management tools, and good old-fashioned detective work.
The automated tools for this task are improving, but they still aren’t perfect, notes Eric Ogren, an analyst at Enterprise Strategy Group. Some tools offer network behavior anomaly detection (NBAD), which continuously monitors application traffic (destination, source, protocol) but forces IT to manually associate user names with IP addresses. On the other hand, security information management (SIM) does a decent job of collecting log file information but is generally geared more toward historical analysis, rather than identifying potential attacks in real time.
There are a slew of tools that fall somewhere along the NBAD-SIM spectrum, including products from Arcsight, LogLogic, netForensics, and Securify. These tools identify trends and warning signs, but in the end, it’s usually a human analysis that identifies an attacker’s trail -- and what to do about it.
In his paper "Five Mistakes of Security Log Analysis," netForensics security strategist Anton Chuvakin says that many IT analysts do analyze their logs, but they fail to normalize the data or study it for a long enough period of time. Other IT analysts have good data, but they focus too closely on trying to find specific attack patterns, he says.
”To fully realize the value of log data, one has to take it to the next level of log mining: actually discovering things of interest in log files without having any preconceived notion of ‘what we need to find,’” Chuvakin says. “It sounds obvious -- how can we be sure that we know of all the possible malicious behavior in advance -- but it is disregarded so often.”
Next Page: Training
Some of the worst security problems originate from stupid things end users do -- from the seemingly obvious no-no of opening attachments from strangers, to connecting to the closest WiFi connection while on the road. Training, therefore, is a critical, but often overlooked, element of your security strategy. (See The 10 Most Dangerous Things Users Do Online.)
And that standard annual, 30- to 60-minute security awareness training session, where you pack in "everything" your users need to know about security, is no longer enough. "Many times, this is too much for the average user to absorb to be effective," says Todd Fitzgerald, systems security officer for United Government Services. "More frequent security reminders are needed in a way that is understood by the end user."
Security awareness training should be more "in your face" and "real," with things like posters, computer-based training, compliance tracking, and face-to-face interactive training, Fitzgerald says.
But today, security training isn't necessarily mandatory, and it's rarely a priority. Companies see security as more of a technical rather than a cultural issue, so organizations rely mainly on their investments in firewalls, antivirus, intrusion detection, and vulnerability assessment and penetration testing to protect their infrastructure and data, Fitzgerald says. But training employees is equally as important.
And many companies establish security policies and train their users initially, but when their policies or technologies change, they don't bother to re-educate users, experts say.
"Training is pretty rudimentary, and that's the problem," says Consilium1's Kelly.
Many companies miss things like process engineering, Kelly says, and putting in the proper policies. "If your vendor calls in for a password reset for their ID, for instance, how do you know they are authorized, and that it's the actual person you should be talking to? A lot of organizations don't have a good answer for that," he says. Back-end processes that identify users aren't necessarily in place, he says.
"You want the help desk to know they are giving the password to the right person and not to a social engineer."
Still, there's no easy way to measure how effective your security awareness and training program really is. The key to a good training program is identifying your audience and the level of training they need to do their jobs, Fitzgerald says. End users and technical staffers each require different types of training goals, he says, so be sure you're fashioning it properly for each group.
If you still need some incentive to beef up your organization's security awareness and end-user training, consider this: Top execs are typically not well-educated in security awareness, which is a key reason IT security doesn't always get the support and funding it needs.
Got your attention now?
Next Page: Outsourcing of security functions
Some security pros believe the introduction of a third party to any phase of IT increases the risk of a security breach. There is some truth to this maxim, but experts say IT people who are too dogmatic about third-party services are overlooking an excellent way to increase security capabilities and save money: outsourced security services.
Gartner, which had long been skeptical of third-party security services, reconsidered its position last year and began recommending that enterprises use outsourcing in selected areas of security. “Why should I filter out this garbage at my end?” asked Gartner vice president John Pescatore in a presentation. “Outsource as much of the busywork as you can, as soon as you can.”
Apparently, some enterprises have taken Gartner’s advice. According to an annual study released earlier this year by the Computer Security Institute and the FBI, offshore IT security work has increased significantly in the past year. Of the U.S. companies that indicated they farm out their security functions, the amount of work sent overseas has doubled in the past 12 months. (See CSI/FBI: Violations, Losses Down.)
Companies with an average revenue of less than $10 million outsourced 8 percent of their security functions overseas this year, compared with 6 percent last year, according to the CSI/FBI survey. Midsize companies of $100 million to $1 billion in revenue also nearly doubled the work they sent offshore, from 7 percent last year to 1 percent this year.
Large corporations with more than $1 billion saw the biggest increase in security outsourcing, sending 15 percent of their security functions offshore, up from 9 percent last year, according to the survey.
Although the volume of security functions sent overseas jumped significantly, the number of U.S. companies that use outsourcing has remained fairly stable. This year, 39 percent of the companies surveyed indicated they farm out varying degrees of their security work, compared with 37 percent last year.
In most cases, enterprises are using outsourcing companies for labor-intensive tasks such as maintaining and upgrading firewalls or doing log file analysis, experts say. Such an approach may cut the costs of handling these tasks while improving their overall efficiency, they say. Managed security services, in which providers offer a range of antivirus, anti-spyware, and intrusion detection capabilities, are still popular in small and medium-sized businesses, but have not deeply penetrated larger enterprises.
Next Page: Encryption
If encryption gets short shrift from IT, it's not because it's a low priority -- it's because encryption can be so complicated to manage. Questions about how to manage encryption keys, how to search encrypted archives, or where to deploy the technology continue to dog encryption initiatives.
But whether they think encryption is complicated, expensive, or unnecessary, many IT departments are being forced into deployment by various state and federal regulations governing data privacy or long-term archiving.
So where to begin with data encryption? Perhaps sensing all the user uncertainty on the technology, vendors are responding with encryption options up and down their product lines. (See Vendors Roll Out New Security Software for Mobile Devices, Seagate Unveils Encrypted Notebook Drive, and Strategic Security: Developing a Secure Email Strategy.)
The good news is there's no need to blanket the enterprise with it. Pick your spots, say experts. Many IT organizations have taken this to mean laptops and backup tapes -- any place where data is portable and at risk. Others also encrypt specific applications like email, or business processes like payroll and benefits.
"It makes sense to encrypt anywhere there's material risk to data being stolen," says John Rotchford, managing director, of Strategic Advisory Services International, Encinitas, Calif. "Laptops are a no-brainer, but encrypting data at rest in a data center doesn't make as much sense, since the chances of someone ripping open a storage array is probably pretty low."
Companies need to consider not just how they encrypt at wireline speed, but how to bring intelligence into the equation. IT has to be able to manage encrypted data, both in flight and at rest. And that means encrypted data must remain easily searchable, which requires a bit more forethought, said Eric Ogren, security analyst, with the Enterprise Strategy Group, Milford, Mass.
"You can still get full searchability through the indices, so the idea that you can't search them is a bit offbase," he notes. But it also requires users and IT personnel to agree on what's to be in the metadata and keyword tags so that searches are done on words or phrases the system knows how to spot.
Still, what about those hundreds, if not thousands, of laptops in use at any given moment -- or if you prefer, backup tapes being shuffled between locations? If one goes missing, how does the user or the enterprise get its encrypted data back? "That's the piece that makes it hard -- key management and keeping it simple and reliable. But that's what needs to happen," Ogren says. (See Multivendor Management Locked Up.)
IT will slog through these issues, but for those enterprises that aren't obligated, it's the early adopters that will sort out these management and administrative headaches. "A big sledge hammer is being used now [where encryption is concerned], but in the future it will be a lot more intelligent and surgical in its use," Rotchford adds.
Next Page: Integration of security with software development
You can blame this one on software developers, but the onus is on the security organization to press them to build more secure software.
Even seemingly minor coding errors in software can cause big-time security headaches down the line for enterprises that deploy the buggy software. Many developers -- both internal programmers and third-party software companies -- don't properly code their operating systems, applications, and network device software with security in mind from the get-go. And enterprises that install the resulting software eventually pay the price. (See CERT Seeks Secure Coding Input and Secure Coding Catches Fire.)
Vulnerabilities and attacks would be less pervasive if developers had better processes for identifying coding problems and other bugs that lead to security woes, experts say.
"There's not a lot of pressure [on vendors] to securely code things. Customers don't demand it," says Consilium1's Kelly. "Until organizations really start incorporating and integrating security into their development processes," there won't be much change, he says, although regulatory compliance demands are helping.
Robert Seacord, senior vulnerability analyst at CERT, concurs. "When and if customers elect to purchase products that are more secure over products that have more features, software vendors will develop and deliver more secure products."
Seacord heads up CERT's Secure Coding Initiative effort to build standards for developers to create safer and less error-prone software. The program tries to help developers do so while also "decreasing overall costs," Seacord says.
Microsoft is the most high-profile developer to embrace a secure coding program, its Trustworthy Computing initiative, of which Windows Vista will be one of the first graduates. (See The Vista-Forefront Security Two-Step.)
"Because of Microsoft's position in the software product market as a platform provider, it is significant that they have launched a broad security initiative," CERT's Seacord says. And Microsoft has already made one contribution: The ISO/IEC WG14 working group for the programming language C is developing standards based on a Microsoft library that remediates common programming errors, he says.
Meanwhile, enterprises must balance what features they need versus what security risks they can assume, Seacord says. "Attackers will naturally use the easiest route they can find. If that attack vector cannot be adequately defended because of other requirements, it makes little sense to expend significant resources eliminating one attack vector while leaving another vulnerable."
In other words, it doesn't make sense to lock your door if your window is rolled down, he says.
And although secure coding is ultimately up to the developers, IT managers, CIOs, and purchasing managers should include security as a primary concern in their purchasing and design decisions, Seacord says.
— The Staff of Dark Reading
About the Author
You May Also Like